Safest way to backup to off-site NAS? (Rsync+SSH?)

Backup and data protection discussion at its finest.

GardG
Posts: 6
Joined: Wed May 19, 2021 7:42 pm

Safest way to backup to off-site NAS? (Rsync+SSH?)

Post by GardG »

What would be the generally safest way to back up an Asustor NAS to an off-site NAS? In my case, the main NAS would be at the office (which has a static IP, etc.) and the off-site NAS would be at home.

By "safe" I'm looking for a solution that
- Won't allow malware/ransomware to propagate between sites
- Won't put the office network at risk of being compromised
- Keeps data safe (encrypted) during transfer

The office NAS will be mounted to workstations as an SMB share, so if a workstation is infected with ransomware, it could encrypt the files on the NAS. I'll be taking regular snapshots to protect against that, but in the unlikely case that we're hit by ransomware that targets Asustor NASes, the snapshots themselves could also be affected. The idea is that the off-site NAS will grab the files from the office NAS regularly and make its own entirely separate snapshots, but be isolated enough not to get hit by the ransomware. So if all the files and snapshots at the office are encrypted by ransomware, even though the off-site files would also be encrypted (when synchronised with the office, that is), we'd still have the snapshots on the off-site NAS.

My idea was to simply connect the off-site NAS to the office as a VPN client, but for all practical purposes, that's the same as connecting it to a switch at the office, so it wouldn't prevent malware from propagating. So instead, I'm considering running Rsync over SSH. That means I'd have to open another port at the office, which I'm a bit reluctant to do, but I'm thinking of implementing the following measures:

- Using a nonstandard (high) port number for SSH
- Using geoblocking, refusing any connections from outside the country (ideally I'd whitelist my home IP, but it's not static)
- Using a public/private key pair for the SSH connection

Is this a reasonable and doable approach, or are there better options? The office NAS will be a Lockerstor 4, and the home NAS will be a low-end Asustor or Synology (the latter is cheaper).
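As an added illustration of the rsync-over-SSH setup described in the post (this is not GardG's code, nor anything shipped with ADM or Asustor's backup apps), here is a small POSIX sh script that does two things: it checks an sshd_config fragment for the settings the proposed measures imply (key-only login, a nonstandard port, no root login, a single allowed account), and it builds the pull-style rsync command the home NAS would run plus the matching authorized_keys entry for the office side. The hostname office.example.com, port 49222, the "backup" account, the key path and the /volume1 paths are all placeholders, and both config fragments are constructed for the example. Geoblocking is a firewall matter and is not covered here. The `restrict` and `command=` options are standard OpenSSH authorized_keys options; rrsync is the read-only wrapper distributed with rsync's support scripts, and whether it is present on a given NAS is an assumption.

```shell
#!/bin/sh
# Added example for this thread (not GardG's or Asustor's code).
# Placeholders: office host office.example.com, SSH port 49222, a dedicated
# 'backup' account on the office NAS, key /root/.ssh/id_ed25519 on the home
# NAS, source share /volume1/share, destination /volume1/backup.

# Constructed sshd_config fragment standing in for the office NAS's config.
SAMPLE_SSHD_CONFIG='Port 49222
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers backup'

# Constructed weak fragment: sshd defaults (port 22, passwords allowed).
WEAK_SSHD_CONFIG='PasswordAuthentication yes
PermitRootLogin yes'

# check_sshd_hardening CONFIG_TEXT
# Prints one FAIL line per missing setting; returns the number of failures
# (0 means every check passed).
check_sshd_hardening() {
    cfg=$1
    fails=0
    # Keys only: the key pair from the post achieves nothing if passwords still work.
    printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' \
        || { echo "FAIL: PasswordAuthentication must be 'no'"; fails=$((fails+1)); }
    printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*PubkeyAuthentication[[:space:]]+yes' \
        || { echo "FAIL: PubkeyAuthentication must be 'yes'"; fails=$((fails+1)); }
    # The backup account never needs root, so root login stays closed.
    printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]+no' \
        || { echo "FAIL: PermitRootLogin must be 'no'"; fails=$((fails+1)); }
    # Limit SSH to the one account the off-site NAS uses.
    printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*AllowUsers[[:space:]]+[^[:space:]]' \
        || { echo "FAIL: AllowUsers should list only the backup account"; fails=$((fails+1)); }
    # Nonstandard port: a missing Port line means sshd's default of 22.
    port=$(printf '%s\n' "$cfg" | awk '$1=="Port"{print $2; exit}')
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "FAIL: Port should be a nonstandard value (found '${port:-22}')"
        fails=$((fails+1))
    fi
    return $fails
}

# build_rsync_cmd USER HOST PORT KEY SRC DST
# Pull-style: the home NAS runs this and reads from the office, so the office
# never holds a credential that reaches the home side. --delete mirrors
# deletions; the home-side snapshots are what preserve older versions.
build_rsync_cmd() {
    printf 'rsync -aH --delete -e "ssh -p %s -i %s -o IdentitiesOnly=yes" %s@%s:%s %s\n' \
        "$3" "$4" "$1" "$2" "$5" "$6"
}

# build_authorized_key_line SRC PUBKEY
# authorized_keys entry for the office NAS: 'restrict' disables forwarding,
# PTY and agent use, and command= pins the key to read-only rrsync of one
# directory, so the key cannot be used for a shell or for writing.
build_authorized_key_line() {
    printf 'restrict,command="rrsync -ro %s" %s\n' "$1" "$2"
}

# Demo run when executed directly.
echo "# sshd hardening check (sample config):"
check_sshd_hardening "$SAMPLE_SSHD_CONFIG" && echo "OK"
echo "# sshd hardening check (weak config):"
check_sshd_hardening "$WEAK_SSHD_CONFIG" || echo "$? problem(s) found"
echo "# command for the home NAS:"
build_rsync_cmd backup office.example.com 49222 /root/.ssh/id_ed25519 /volume1/share/ /volume1/backup/
echo "# authorized_keys line for the office NAS (public key is a placeholder):"
build_authorized_key_line /volume1/share "ssh-ed25519 AAAA_PLACEHOLDER_KEY"
```

The home NAS would run the printed rsync command from its scheduler and then take its own snapshot of /volume1/backup; the office NAS only ever sees a key that can read one directory through rrsync.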
orion
Posts: 3482
Joined: Wed May 29, 2013 11:09 am

Re: Safest way to backup to off-site NAS? (Rsync+SSH?)

Post by orion »

  • Put your off-site NAS behind NAT (home gateway function).
  • Disable all services on the off-site NAS (no PnP, no EZ-Connect, ...).
  • Don't create user accounts; only the admin account with a very strong password on the off-site NAS.
  • Don't install other apps (only the default apps) on the off-site NAS.
Then both VPN (client) and rsync (client) should be secure enough.